Rule 206(4)-9 (17 C.F.R. 275.206(4)-9) under the Investment Advisers Act of 1940

ICR 202205-3235-041 · OMB 3235-0791 · Received in OIRA

Forms and Documents

Document	Type	Status	Availability
Rule 206(4)-9 (P-Cyber) Supporting Statement (Cyber).pdf	Supporting Statement A	Uploaded 2022-05-23	Repair queued

IC Document Collections

IC ID	Collection	Type	Status	Form
253780	Rule 206(4)-9 (17 C.F.R. 275.206(4)-9) under the Investment Advisers Act of 1940		New

ICR Details

OMB Control No:	ICR Reference No: 202205-3235-041
Status: Received in OIRA	Previous ICR Reference No:
Agency/Subagency: SEC	Agency Tracking No:
Title: Rule 206(4)-9 (17 C.F.R. 275.206(4)-9) under the Investment Advisers Act of 1940
Type of Information Collection: New collection (Request for a new OMB Control Number)	Common Form ICR: No
Type of Review Request: Regular	Date Submitted to OIRA: 05/23/2022

	Requested	Previously Approved
Expiration Date	36 Months From Approved
Responses	14,774	0
Time Burden (Hours)	320,153	0
Cost Burden (Dollars)	51,295,328	0

Abstract: Proposed rule 206(4)-9 would require registered investment advisers to adopt and implement cybersecurity-related compliance policies and procedures and to review those policies and procedures annually.

Authorizing Statute(s): US Code: 15 USC 80b-3(d) Name of Law: Investment Advisers Act of 1940
   US Code: 15 USC 10b-6(4) Name of Law: Investment Advisers Act of 1940
   US Code: 15 USC 80b-11(a) Name of Law: Investment Advisers Act of 1940

Citations for New Statutory Requirements: None

Associated Rulemaking Information
RIN:	Stage of Rulemaking:	Federal Register Citation:	Date:
3235-AN08	Proposed rulemaking	87 FR 13524	03/09/2022

Federal Register Notices & Comments
Did the Agency receive public comments on this ICR? No

Number of Information Collection (IC) in this ICR: 1

IC Title	Form No.	Form Name
Rule 206(4)-9 (17 C.F.R. 275.206(4)-9) under the Investment Advisers Act of 1940

ICR Summary of Burden

	Total Request	Change Due to Agency Discretion
Annual Number of Responses	14,774	14,774
Annual Time Burden (Hours)	320,153	320,153
Annual Cost Burden (Dollars)	51,295,328	51,295,328

Burden increases because of Program Change due to Agency Discretion: Yes

Burden Increase Due to: Miscellaneous Actions

Burden decreases because of Program Change due to Agency Discretion: No

Burden Reduction Due to:

Short Statement: The estimated annual burden hours associated with rule 206(4)-9, if adopted, is 320,152.58 hours. In addition, the external cost burden associated with rule 206(4)-9 is $51,295,328. These annual burden hours and external cost burden are due to proposed rule 206(4)-9 requiring advisers to adopt and implement written policies and procedures reasonably designed to address cybersecurity risks.

Annual Cost to Federal Government:

Does this IC contain surveys, censuses, or employ statistical methods? No

Does this ICR request any personally identifiable information (see OMB Circular No. A-130 for an explanation of this term)? Please consult with your agency's privacy program when making this determination. No

Does this ICR include a form that requires a Privacy Act Statement (see 5 U.S.C. §552a(e)(3))? Please consult with your agency's privacy program when making this determination. No

Is this ICR related to the Affordable Care Act [Pub. L. 111-148 & 111-152]? No

Is this ICR related to the Dodd-Frank Wall Street Reform and Consumer Protection Act, [Pub. L. 111-203]? No

Is this ICR related to the American Recovery and Reinvestment Act of 2009 (ARRA)? No

Is this ICR related to the Pandemic Response? No

Agency Contact: Thomas Strumpf 202 551-3135

Common Form ICR: No